Source types and CIM data model info
The Splunk Add-on for Windows provides Common Information Model information, the index-time and search-time knowledge for Windows events, metadata, user and group information, collaboration data, and tasks in the following formats.
Source type | Description | CIM data model(s) |
---|---|---|
fs_notification | File system notification changes | Change Analysis |
NTSyslog:* | Windows Event Log data | n/a |
Snare:* | Windows Event Log - Snare | n/a |
WinEventLog: | Windows Event Log | Inventory |
DhcpSrvLog | Microsoft DHCP Server Log information | Network Sessions |
MonitorWare:Application | MonitorWare - Application Event Log | n/a |
WindowsUpdateLog | Windows Update log file | n/a |
WinHostMon | Windows host monitoring log | Inventory, Performance |
WinRegistry | Windows Registry changes | Change Analysis |
wmi | Information collected through Windows Management Instrumentation (WMI) | n/a |
WMI:ComputerSystem | Computer system information collected through WMI | Performance |
Perfmon:CPUTime | CPU usage time collected through the Performance Monitor input | Performance |
WMI:CPUTime | CPU usage time collected through WMI | Performance |
Perfmon:FreeDiskSpace | Free Disk Space provided by the Performance Monitor input | Performance |
Perfmon:LogicalDisk | Information about logical disks on the system, provided by the Performance Monitor input | Performance |
WMI:FreeDiskSpace | Free Disk Space provided by WMI | Performance |
WMI:LogicalDisk | Information about logical disks on the system, provided by WMI | Performance |
Perfmon:LocalNetwork | Network statistics provided by the Performance Monitor input | Performance |
WMI:LocalNetwork | Network statistics provided by WMI | Performance |
Script:InstalledApps | List of installed applications | n/a |
WMI:InstalledUpdates | List of installed updates/packages provided by WMI | Updates |
Script:ListeningPorts | List of network ports that listen for traffic | n/a |
WMI:LocalProcesses | Information on processes running locally, provided by WMI | Application State |
Perfmon:Memory | Memory information provided by the Performance Monitor input | Performance |
WMI:Memory | Memory information provided by WMI | Performance |
WMI:Service | Information on services running locally, provided by WMI | Application State |
Script:TimesyncConfiguration | Information on time synchronization service configuration | n/a |
Script:TimesyncStatus | Information on time synchronization status | n/a |
WMI:Uptime | Information on system uptime, provided by WMI | Performance |
WMI:UserAccounts | Information on configured user accounts, provided by WMI | Inventory |
WMI:Version | Information on the system version, provided by WMI | Inventory |
CIM data model tag population
Source type | Tags |
---|---|
Alerts | alert |
Application State | listening |
Authentication | authentication |
Change Analysis | account |
Compute Inventory | cpu |
Databases | database |
JVM | classloading |
Network Resolution (DNS) | dns |
Network Sessions | dhcp |
Network Traffic | communicate |
Performance | cpu |
Splunk Audit Logs | error |
Splunk CIM Validation | listening |
Ticket Management | change |
Updates | error |
Vulnerabilities | report |
This documentation applies to the following versions of Splunk® Add-on for Windows: 4.7.0, 4.7.1, 4.7.2, 4.7.3, 4.7.4, 4.7.5, 4.8.0, 4.8.1, 4.8.2, 4.8.3, 4.8.4